ASA 5505 routing through an 807 DSL router

kevin.worton
Level 1

Hi,

I have configured an 807 router to a DSL line which works fine.

I have configured an ASA to plug its external interface into the internal network on the 807, so the connections are Internal | ASA | 807 | DSL | Internet. If I connect to the internet while on a console session on the ASA I can ping via FQDN and everything seems fine. If I connect on the internal network of the ASA I can't see anything.

One issue I have is that I cannot get ASDM working. However, for the moment I want to skip troubleshooting ASDM. Here is the ASA config:

ASA Version 8.4(1)
!
hostname ciscoasa
enable password ncnbYkIeyXTKKIQe encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 194.72.9.38
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network internal-lan
 subnet 192.168.10.0 255.255.255.0
object network inside_mapped
 subnet 192.168.10.0 255.255.255.0
access-list allow_internet extended permit ip host 192.168.10.1 host 10.10.10.2
pager lines 24
logging console debugging
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network internal-lan
 nat (inside,outside) static inside_mapped
access-group allow_internet out interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.5-192.168.10.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username adminssh password s7VKH.L6lL1y418g encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5bf16e3cb259e2a54ea4ded75381288e
: end

The default route is via 10.10.10.1, which is the 807 router. The router can see the firewall on 10.10.10.2 but cannot see the internal 192.168.10.x range. The router has a route for 192.168.10.0 via 10.10.10.2.

I cannot SSH either, so I am guessing there is something up with an access-list, maybe. Any pointers in the right direction would be appreciated.
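An added example, not from the poster or from Cisco documentation, to show what a reviewer would check first in the ASA 8.4 configuration above. The access list `allow_internet` is applied outbound on the outside interface and permits only the ASA's own inside address (192.168.10.1) talking to the router (10.10.10.2). ASA interface access lists end in an implicit deny, and traffic the ASA generates itself (pings from the console) is not subject to them, so LAN hosts in the DHCP pool 192.168.10.5-254 leaving via "outside" match nothing while console tests succeed. The object NAT maps `internal-lan` to `inside_mapped`, and both are 192.168.10.0/24, so it is an identity translation; Internet access then relies on the 807 routing 192.168.10.0/24 back to 10.10.10.2 and PATing it out Dialer0. The fragment below shows the posted lines beside a replacement that filters on the interface where LAN traffic enters, keeps the identity NAT, restricts the `ssh 0.0.0.0 0.0.0.0 outside` line, and lists the commands to verify the outcome. The host 192.168.10.10, the port numbers, and the choice of 10.10.10.0/24 as the management network are assumptions for illustration.

```text
! --- as posted: outbound ACL on "outside" permits only the ASA's inside address
! --- talking to the router; every other flow egressing "outside" hits the implicit deny
access-list allow_internet extended permit ip host 192.168.10.1 host 10.10.10.2
access-group allow_internet out interface outside

! --- replacement: drop the outbound ACL and filter where LAN traffic enters
no access-group allow_internet out interface outside
no access-list allow_internet

! identity NAT as posted (mapped subnet equals real subnet): addresses leave unchanged,
! the 807 has "ip route 192.168.10.0 255.255.255.0 10.10.10.2" and PATs them out Dialer0
object network internal-lan
 nat (inside,outside) static inside_mapped

! inbound ACL on "inside": what LAN hosts may initiate
! (ASA ACLs take subnet masks such as 255.255.255.0, not IOS wildcard masks)
access-list inside_in extended permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list inside_in extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list inside_in extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list inside_in extended permit icmp 192.168.10.0 255.255.255.0 any echo
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside

! management: the posted "ssh 0.0.0.0 0.0.0.0 outside" accepts SSH from any source
! on the outside interface; limit it to the router segment (assumed management network)
no ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.10.0 255.255.255.0 outside

! --- verification, run from the ASA CLI
! simulate a LAN host (assumed 192.168.10.10) opening a web connection to 8.8.8.8
packet-tracer input inside tcp 192.168.10.10 40000 8.8.8.8 80 detailed
show nat detail
show xlate
show access-list inside_in
! syslog 106023 is logged for packets denied by an access-group
show logging | include 106023
```

A check worth keeping in mind while reading the later replies: the ASA does not answer ICMP sent to an interface other than the one the packet arrives on, so the router being unable to ping 192.168.10.1 (the inside interface) from 10.10.10.0/24 is expected and is not evidence of a fault by itself. Test through the firewall (ping a host behind it, or use packet-tracer) rather than at its far-side address.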

29 Replies

There is nothing on the router which I can see.

Here is the config:

interface Ethernet0
 no ip address
!
interface Ethernet0.1
 encapsulation dot1Q 101
 ip address dhcp
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Ethernet0.2
 pppoe enable group global
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Cellular0
 no ip address
 encapsulation slip
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip tcp adjust-mss 1452
 shutdown
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan12
 no ip address
!
interface Vlan101
 no ip address
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname additives@btconnect.com
 ppp chap password 0 rockwood1
 ppp pap sent-username additives@btconnect.com password 0 rockwood1
 no cdp enable
 service-policy input POL1
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 2000 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.10.0 255.255.255.0 10.10.10.2
!
access-list 2000 permit ip 10.10.10.0 0.0.0.255 any
access-list 2000 permit icmp any any
access-list 2000 permit udp any eq domain any
access-list 2000 permit tcp object-group Wlan any
access-list 2000 permit udp object-group Wlan any
access-list 2000 permit tcp object-group ASA-Network1 any
access-list 2000 permit udp object-group ASA-Network1 any
access-list 2000 permit ip 192.168.10.0 0.0.0.255 any
no cdp run
!
!
control-plane
!
!
!
line con 0
 login local
 no modem enable
line aux 0
line 3
 no exec
line vty 0 4
 access-class 2000 in
 privilege level 15
 login local
 transport input telnet ssh
!
!
end

I will try running this command soon. Busy day for me here. Again, cheers for the support with this.
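An added example, not from the thread's posters or from Cisco, covering the router side of the 807 configuration posted above. Two lines carry the ASA's LAN: the static route for 192.168.10.0/24 via 10.10.10.2 and the ACL 2000 entry that lets that subnet be PATed out Dialer0 (the thread's closing post reports that removing that NAT entry stops things working). Two further points a reviewer would raise from the posted config: ACL 2000 doubles as the vty `access-class`, so every source it permits for NAT can also reach the router's management plane, and `transport input telnet ssh` leaves Telnet enabled; and the PPPoE username and password appear in clear text in the posted config and should be rotated. The fragment below keeps the NAT list for its one job and adds a separate management ACL. The ACL number 10, the placeholder `NEW-SECRET`, and the choice of 192.168.10.0/24 as the only management source are assumptions for illustration.

```text
! --- transit subnet behind the ASA: route it to the ASA's outside address and
! --- include it in the PAT source list (all three lines exist in the posted config)
ip route 192.168.10.0 255.255.255.0 10.10.10.2
access-list 2000 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 2000 interface Dialer0 overload

! --- management hardening (ACL number and sources are assumptions)
! the NAT list should not double as the vty filter: its "any"-sourced icmp/udp-domain
! entries and the 10.10.10.0/24 entry all become permitted management sources
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
 transport input ssh
ip http access-class 10

! --- rotate the PPPoE credentials that were posted in clear text; note that
! --- service password-encryption only obscures them (type 7, reversible), it is not protection
service password-encryption
interface Dialer0
 ppp chap password NEW-SECRET
 ppp pap sent-username additives@btconnect.com password NEW-SECRET

! --- verification
show ip route 192.168.10.0
show ip nat translations | include 192.168.10
show ip nat statistics
show access-lists 2000
show access-lists 10
```

`show ip nat translations` should list entries with an inside-local address in 192.168.10.0/24 once a LAN host behind the ASA has sent traffic; if the route or the ACL 2000 entry is missing, those entries never appear and replies from the Internet have nowhere to go.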

I can't see anything obviously wrong now with either configuration.

And the translation table suggests it is working.

I thought it may be the NAT, i.e. not having an explicit statement on the ASA, but the packet tracer test you ran showed it was allowed out.

Let's see what that command shows and then we can go from there.

Jon

Here is the xlate output:

ciscoasa# show xlate
0 in use, 1 most used

I ran packet tracer again and it seems like it is working outbound again.

Maybe I can put the NAT rules back in there to see if this works?

If it wasn't working then your router would show no translations, but worth a try.

Add this line -

"nat (inside,outside) after-auto source dynamic any"

and then try again.

How exactly are you testing this, i.e. are you trying to connect to a web server?

Jon

Hi, I tried adding that in but it was moaning about an incomplete command, so I did this:

nat (inside,outside) after-auto source dynamic any interface

The way I am testing is a laptop with Windows 8 browsing the web. I am trying DNS lookups but they don't appear to work.

I have tried bypassing DNS and going to IP addresses for web servers in the browser, but still nothing works.

Is that the correct NAT line? It wouldn't accept anything unless I typed "interface" at the end.

Now there are 2 used:

ciscoasa(config)# show xlate
0 in use, 2 most used

So it looks like NAT is the issue here.

I don't really want to blow away the configuration yet, but the device isn't live as such.

Just thinking, I can't SSH to the device either or connect on HTTP, although it is declared in the configuration. So I don't know if it needs that local NAT rule.

I'm not sure it is NAT, because you had an entry even without a specific NAT entry on the ASA.

Can you describe how everything is physically connected together?

Jon

ASA is connected directly to the router.

ASA internal interface on the inside subnet is connected to a laptop directly.

Router internal interface is plugged directly to the ASA.

I have another internal router interface which is on a VLAN connected to the wireless controller for the access points, and that is using the internet.

That's it really, nothing complex about it.

I still think that this SSH and HTTP issue is related, because I cannot get into ASDM but weirdly enough I can get into the HTTP page. So it is like HTTPS is blocked too. But this might be a red herring, so don't worry about it too much yet.

The reason I asked is that you are using VLAN 2 on the outside of the ASA and VLAN 10 on the interface on the router the ASA connects to.

However, there is no tagging, so in theory it shouldn't matter, although they should really match.

Can you temporarily add this to your ASA -

"access-list outside_access_in permit ip any 192.168.10.0 0.0.0.255"

then apply it to the interface -

"access-group outside_access_in in interface outside"

This is just so you can test with ping etc.

Then try a ping and traceroute from the laptop to an internet IP and see what you get.

Jon

Thanks, I'll try this out next week. I am not in here until some point next week, so I will try that again then.

It is strange that the ASA can see the internet from the outside interface, the NAT rules seem to be translating and the firewall rules are allowing it.

Anyway, thanks very much for your assistance. I will post here next week once I manage to sort out the ICMP traffic.

No problem.

Just to let you know, if you want to have ping etc. available permanently then you can add ICMP inspection to your firewall, which is a better solution than the ACL.

That ACL is just for testing and obviously shouldn't be left on there.

Just post back, as you say, when you get around to testing next week.

Jon
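An added example, not from Jon or from Cisco documentation, showing the two approaches in the exchange above on the posted ASA 8.4 configuration: the temporary inbound permit on the outside interface used for testing, and the permanent alternative of ICMP inspection in the existing `global_policy`. With inspection, echo replies and traceroute error messages are matched to the request that left through the firewall, so no inbound permit is needed and unsolicited ICMP from the outside is still dropped. ASA access lists take a subnet mask (255.255.255.0), not an IOS wildcard; the ACL name `outside_access_in` is the one used in the thread.

```text
! --- temporary test rule: lets any outside source reach the LAN; remove after testing
access-list outside_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-group outside_access_in in interface outside

! --- permanent alternative: stateful ICMP inspection added to the policy already
! --- applied globally in the posted config ("service-policy global_policy global")
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! --- remove the test rule once inspection is in place
no access-group outside_access_in in interface outside
clear configure access-list outside_access_in

! --- verification: ping and traceroute an Internet address from a LAN host, then
show service-policy inspect icmp
show conn protocol icmp
show access-list
```

`inspect icmp` creates a connection entry per echo request so only the matching reply is admitted; `inspect icmp error` additionally translates the embedded header of ICMP error messages (TTL-exceeded for traceroute, unreachables) so they are delivered to the host that sent the original packet.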

Hi Jon. I thought I would update you. This is all working now.

I did an erase and a factory reset on the box and built it again. I don't know what was up before, but since I rebuilt it, it all works fine.

I tested the rules on the router and removed the NAT for the 192 networks, and this stopped it working, so I think the NAT rules on the router were probably the main problem, coupled with a few other issues.

Anyway, thanks for your help. I have marked this as solved.

Sorry, yes, I missed out the "interface" keyword.

So I don't think you need that.

How is the ASA connected to the router? Is it via a switch or not?

Jon

I have checked the router and everything seems to be OK here:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Dialer0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, Vlan10
L        10.10.10.1/32 is directly connected, Vlan10
      86.0.0.0/32 is subnetted, 1 subnets
C        86.130.120.112 is directly connected, Dialer0
      172.16.0.0/32 is subnetted, 1 subnets
C        172.16.18.8 is directly connected, Dialer0
S     192.168.10.0/24 [1/0] via 10.10.10.2
I have tried pinging 10.10.10.2 and that comes back as expected, but I cannot ping 192.168.10.1, which is the firewall interface, so I think there is something up with the configuration of the ASA still.

I appreciate your suggestions, so if you have any other advice please let me know and I will see if I can get back into the datacentre and terminal in again.

Can you try running that command?

Jon
